From 11bd800e8f528c065f1da3de7c7348e8bc7c414f Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sat, 9 Oct 2021 02:30:41 -0700 Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [88/90]: apparmor: add fine grained ipv4/ipv6 mediation BugLink: http://bugs.launchpad.net/bugs/2028253 Buglink: https://bugs.launchpad.net/bugs/2056496 Add the ability to mediate inet access at a port and address level. Signed-off-by: John Johansen (cherry picked from commit fefa3cec7db83b9a0dd1a339f7c8d76c0b820ad8 https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati --- security/apparmor/Makefile | 2 +- security/apparmor/af_inet.c | 854 ++++++++++++++++++++++++++++ security/apparmor/af_unix.c | 4 +- security/apparmor/include/af_inet.h | 42 ++ security/apparmor/include/net.h | 8 +- security/apparmor/lsm.c | 6 +- security/apparmor/net.c | 9 +- security/apparmor/policy_compat.c | 4 + 8 files changed, 921 insertions(+), 8 deletions(-) create mode 100644 security/apparmor/af_inet.c create mode 100644 security/apparmor/include/af_inet.h diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile index f667ad465459..fd72f6b7702e 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile @@ -6,7 +6,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ resource.o secid.o file.o policy_ns.o label.o mount.o net.o \ - policy_compat.o af_unix.o notify.o + policy_compat.o af_unix.o af_inet.o notify.o apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o obj-$(CONFIG_SECURITY_APPARMOR_KUNIT_TEST) += apparmor_policy_unpack_test.o diff --git a/security/apparmor/af_inet.c b/security/apparmor/af_inet.c new file mode 100644 index 000000000000..0fc8a169f21b --- /dev/null +++ b/security/apparmor/af_inet.c @@ -0,0 +1,854 @@ +/* + * AppArmor security module + * + * This file contains AppArmor inet fine grained mediation + * + * Copyright 2024 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include + +#include "include/audit.h" +#include "include/af_inet.h" +#include "include/apparmor.h" +#include "include/file.h" +#include "include/label.h" +#include "include/path.h" +#include "include/policy.h" +#include "include/cred.h" + + + +static inline aa_state_t RULE_MEDIATES_SK(struct aa_ruleset *rules, + struct sock *sk) +{ + return RULE_MEDIATES_AF(rules, sk->sk_family); +} + + +enum addr_type { + ADDR_LOCAL = 0, + ADDR_LOCAL_PRIV = 1, + ADDR_REMOTE = 2, +}; + +struct match_addr { + const char *addrp; + enum addr_type addrtype; + int len; + __be16 port; +}; + +struct stored_match_addr { + struct sockaddr addr; + int addrlen; + struct match_addr maddr; +}; + +static void set_ad_create(struct apparmor_audit_data *ad, + int family, int type, int protocol) +{ + ad->common.u.net->family = family; + ad->net.type = type; + ad->net.protocol = protocol; +} + +static int set_ad_addr(struct apparmor_audit_data *ad, + u16 family, bool source, struct match_addr *maddr) +{ + ad->common.u.net->family = family; + + if (source) { + ad->common.u.net->sport = maddr->port; + if (maddr->addrp) { + if (family == AF_INET) + //ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; + ad->common.u.net->v4info.saddr = *(__be32 *)maddr->addrp; + else + //ad.u.net->v4info.saddr = addr6->sin6_addr.s6_addr; + ad->common.u.net->v6info.saddr = *(struct in6_addr *)maddr->addrp; + } + } else { + ad->common.u.net->dport = maddr->port; + if (maddr->addrp) { + if (family == AF_INET) + //ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; + ad->common.u.net->v4info.daddr = *(__be32 *)maddr->addrp; + else + //ad.u.net->v4info.saddr = addr6->sin6_addr.s6_addr; + ad->common.u.net->v6info.daddr = *(struct in6_addr *)maddr->addrp; + } + } + return 0; +} + +/* returns 0 on success +* raw_port - if set raw_port (protocol) when SOCK_RAW */ +static int map_addr(struct sockaddr *addr, int addrlen, u16 raw_port, + enum addr_type addrtype, struct match_addr *maddr, + struct apparmor_audit_data *ad) +{ + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; + + AA_BUG(!maddr); + + maddr->addrtype = addrtype; + if (!addr) { + maddr->addrp = NULL; + maddr->port = 0; + maddr->len = 0; + return 0; + } + if (addrlen < offsetofend(struct sockaddr, sa_family)) + return -EINVAL; + + /* + * its possibly to have sk->sk_family == PF_INET6 and + * addr->sa_family == AF_INET. sk_family is used for socket + * mediation, sa_family for when we have address ... + */ + switch (addr->sa_family) { + case AF_INET: + addr4 = (struct sockaddr_in *)addr; + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + maddr->port = addr4->sin_port; + maddr->addrp = (char *)&addr4->sin_addr.s_addr; + maddr->len = 4; + break; + case AF_INET6: + addr6 = (struct sockaddr_in6 *)addr; + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + maddr->port = addr6->sin6_port; + maddr->addrp = (char *)&addr6->sin6_addr.s6_addr; + maddr->len = 16; + break; + default: + return -EAFNOSUPPORT; + } + /* per ip spec, && sk->sk_type == SOCK_RAW*/ + if (raw_port && addrtype != ADDR_REMOTE) + maddr->port = raw_port; + if (ad) + set_ad_addr(ad, addr->sa_family, addrtype != ADDR_REMOTE, maddr); + + return 0; +} + +/* -ENOTCONN if not connected */ +static int map_sock_addr(struct socket *sock, enum addr_type addrtype, + struct stored_match_addr *maddr, + struct apparmor_audit_data *ad) +{ + /* do we need early bailout for !family ... */ + maddr->addrlen = sock->ops->getname(sock, (struct sockaddr *) &maddr->addr, addrtype != ADDR_REMOTE ? 0 : 1); + if (maddr->addrlen == -ENOTCONN) { + maddr->addrlen = 0; + return map_addr(NULL, 0, 0, addrtype, &maddr->maddr, ad); + } else if (maddr->addrlen < 0) + return maddr->addrlen; + return map_addr(&maddr->addr, maddr->addrlen, 0, addrtype, + &maddr->maddr, ad); +} + +/* TODO: combine with connect map addr */ +/* TODO: raw_port */ +static int bind_map_addr(struct sock *sk, struct sockaddr *addr, int addrlen, + struct match_addr *maddr, + struct apparmor_audit_data *ad) +{ + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; + u16 family; + + AA_BUG(!addr); + AA_BUG(!maddr); + + if (addrlen < offsetofend(struct sockaddr, sa_family)) + return -EINVAL; + + maddr->addrtype = ADDR_LOCAL; + /* + * its possibly to have sk->sk_family == PF_INET6 and + * addr->sa_family == AF_INET. sk_family is used for socket + * mediation, sa_family for when we have address ... + */ + family = addr->sa_family; + switch (addr->sa_family) { + case AF_UNSPEC: + if (sk->sk_family == PF_INET6) { + /* Length check from inet6_bind_sk() */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Family check from __inet6_bind() */ + return -EAFNOSUPPORT; + } + /* see __inet_bind(), we only want to allow + * AF_UNSPEC if the address is INADDR_ANY + */ + if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) + return -EAFNOSUPPORT; + family = AF_INET; + fallthrough; + case AF_INET: + addr4 = (struct sockaddr_in *)addr; + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + maddr->port = addr4->sin_port; + maddr->addrp = (char *)&addr4->sin_addr.s_addr; + maddr->len = 4; + break; + case AF_INET6: + addr6 = (struct sockaddr_in6 *)addr; + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + maddr->port = addr6->sin6_port; + maddr->addrp = (char *)&addr6->sin6_addr.s6_addr; + maddr->len = 16; + break; + default: + return -EAFNOSUPPORT; + } + + if (ad) + set_ad_addr(ad, family, true, maddr); + + return 0; +} + +/* only continue match if + * insufficient current perms at current state + * indicates there are more perms in later state + * Returns: perms struct if early match + */ +static struct aa_perms *early_match(struct aa_policydb *policy, + aa_state_t state, u32 request) +{ + struct aa_perms *p; + + p = aa_lookup_perms(policy, state); + if (((p->allow & request) != request) && (p->allow & AA_CONT_MATCH)) + return NULL; + return p; +} + +static int do_perms(struct aa_profile *profile, aa_state_t state, u32 request, + struct aa_perms *p, struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms perms; + + AA_BUG(!profile); + + if (state || !p) + p = aa_lookup_perms(rules->policy, state); + perms = *p; + aa_apply_modes_to_perms(profile, &perms); + return aa_check_perms(profile, &perms, request, ad, + audit_net_cb); +} + +static aa_state_t match_addr(struct aa_dfa *dfa, aa_state_t state, + struct match_addr *maddr) +{ + char l = (char) maddr->addrtype; + + state = aa_dfa_match_len(dfa, state, &l, 1); + state = aa_dfa_match_len(dfa, state, (char *)&maddr->port, 2); + if (maddr->len == 0 && !maddr->addrp) { + l = 0; + } else if (maddr->len == 4) { + l = 1; + } else if (maddr->len == 16) { + l = 2; + } else { + AA_BUG("address length unsupported"); + return 0; + } + state = aa_dfa_match_len(dfa, state, &l, 1); + if (maddr->addrp) + state = aa_dfa_match_len(dfa, state, maddr->addrp, maddr->len); + /* null transition between addr and label */ + state = aa_dfa_null_transition(dfa, state); + + return state; +} + + +static aa_state_t match_addr_info(struct aa_dfa *dfa, aa_state_t state, + struct match_addr *maddr, + const char **info) +{ + state = match_addr(dfa, state, maddr); + if (!state) { + *info = maddr->addrtype == ADDR_REMOTE ? + "failed remote addr match" : + "failed local addr match"; + } + + return state; +} + +static aa_state_t match_addr_label(struct aa_policydb *policy, aa_state_t state, + u32 request, struct match_addr *maddr, + struct aa_perms **p, const char **info) +{ + state = match_addr_info(policy->dfa, state, maddr, info); + *p = early_match(policy, state, request); + if (!*p) { + /* TODO: actual label match: */ + if (!state) { + *info = maddr->addrtype == ADDR_REMOTE ? + "failed remote label match" : + "failed local label match"; + } + + /* null transition after label match */ + state = aa_dfa_null_transition(policy->dfa, state); + } + + return state; +} + + +/* passing in state returned by PROFILE_MEDIATES_AF */ +static aa_state_t match_to_prot(struct aa_policydb *policy, aa_state_t state, + u32 request, int type, int protocol, + struct aa_perms **p, const char **info) +{ + __be16 buffer; + buffer = cpu_to_be16((u16)type); + state = aa_dfa_match_len(policy->dfa, state, (char *) &buffer, 2); + if (!state) + *info = "failed type match"; + *p = early_match(policy, state, request); + if (!*p) { + buffer = cpu_to_be16((u16)protocol); + state = aa_dfa_match_len(policy->dfa, state, (char *) &buffer, + 2); + if (!state) + *info = "failed protocol match"; + } + return state; +} + +static aa_state_t match_to_sk(struct aa_policydb *policy, aa_state_t state, + u32 request, struct sock *sk, + struct match_addr *maddr, + struct aa_perms **p, const char **info) +{ + *p = NULL; + state = match_to_prot(policy, state, request, sk->sk_type, + sk->sk_protocol, p, info); + if (*p || !state) + return state; + return match_addr_label(policy, state, request, maddr, p, info); +} + +enum cmd_type { + CMD_ADDR = 1, + CMD_LISTEN = 2, + CMD_OPT = 4, +}; + +static inline aa_state_t match_to_cmd(struct aa_policydb *policy, + aa_state_t state, u32 request, + struct sock *sk, enum cmd_type cmd, + struct match_addr *maddr, + struct aa_perms **p, const char **info) +{ + state = match_to_sk(policy, state, request, sk, maddr, p, info); + if (!*p && state) { + char c = (char) cmd; + state = aa_dfa_match_len(policy->dfa, state, &c, 1); + if (!state) + *info = "failed cmd selection match"; + } + + return state; +} + +/* +static int match_label(struct aa_profile *profile, struct aa_profile *peer, + aa_state_t state, u32 request, + struct apparmor_audit_data *ad) +{ + AA_BUG(!profile); + AA_BUG(!peer); + + ad->peer = &peer->label; + + if (state) { + state = aa_dfa_match(profile->policy.dfa, state, + peer->base.hname); + if (!state) + ad->info = "failed peer label match"; + } + return do_perms(profile, state, request, ad); +} +*/ + +/* ---------------------------------------------------------------------- */ + + + +static inline int profile_sk_perm(struct aa_profile *profile, u32 request, + struct sock *sk, struct match_addr *maddr, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), + list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + AA_BUG(!sk); + + state = RULE_MEDIATES_AF(rules, sk->sk_family); + if (state) { + state = match_to_sk(rules->policy, state, request, sk, + maddr, &p, &ad->info); + return do_perms(profile, state, request, p, ad); + } + + return aa_profile_af_sk_perm(profile, ad, request, sk); +} + +/* no kernel_t bailout */ +static int profile_create_perm(struct aa_profile *profile, int family, + int type, int protocol, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + + state = RULE_MEDIATES_AF(rules, family); + if (state) { + state = match_to_prot(rules->policy, state, AA_MAY_CREATE, + type, protocol, &p, &ad->info); + return do_perms(profile, state, AA_MAY_CREATE, p, ad); + } + + return aa_profile_af_perm(profile, ad, AA_MAY_CREATE, family, type); +} + + +/* sendmsg/rcvmsg/connect */ +static int profile_remote_perm(struct aa_profile *profile, struct sock *sk, + u32 request, struct match_addr *raddr, + struct match_addr *laddr, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + AA_BUG(!sk); + AA_BUG(!raddr); + AA_BUG(!laddr); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + state = RULE_MEDIATES_SK(rules, sk); + if (!state) + return aa_profile_af_sk_perm(profile, ad, request, sk); + + /* TODO: deal with sa_family vs. sk_family */ + state = match_to_cmd(rules->policy, state, request, sk, CMD_ADDR, + raddr, &p, &ad->info); + if (state && !p) + /* check if perm is restricted to a pairing */ + state = match_addr_label(rules->policy, state, request, + laddr, &p, &ad->info); + return do_perms(profile, state, request, p, ad); +} + +static int profile_bind_perm(struct aa_profile *profile, struct sock *sk, + struct match_addr *maddr, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + unsigned short sport; + + AA_BUG(!profile); + AA_BUG(!sk); + AA_BUG(!maddr); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + state = RULE_MEDIATES_SK(rules, sk); + if (!state) + return aa_profile_af_sk_perm(profile, ad, AA_MAY_BIND, sk); + + /* + * its possibly to have sk->sk_family == PF_INET6 and + * addr->sa_family == AF_INET + */ + sport = ntohs(maddr->port); + if (sport) { + if (inet_port_requires_bind_service(sock_net(sk), sport)) { + /* cap NET_BIND_SERVICE will get raised */ + maddr->addrtype = ADDR_LOCAL_PRIV; + } + } + state = match_to_sk(rules->policy, state, AA_MAY_BIND, sk, + maddr, &p, &ad->info); + return do_perms(profile, state, AA_MAY_BIND, p, ad); +} + +static int profile_listen_perm(struct aa_profile *profile, struct sock *sk, + struct match_addr *maddr, int backlog, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + AA_BUG(!sk); + AA_BUG(!maddr); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + state = RULE_MEDIATES_SK(rules, sk); + if (state) { + __be16 b = htons(backlog); + + state = match_to_cmd(rules->policy, state, AA_MAY_LISTEN, sk, + CMD_LISTEN, maddr, &p, &ad->info); + if (state && !p) { + state = aa_dfa_match_len(rules->policy->dfa, state, + (char *) &b, 2); + if (!state) + ad->info = "failed listen backlog match"; + } + return do_perms(profile, state, AA_MAY_LISTEN, p, ad); + } + + return aa_profile_af_sk_perm(profile, ad, AA_MAY_LISTEN, sk); +} + +static inline int profile_accept_perm(struct aa_profile *profile, + struct sock *sk, struct match_addr *maddr, + struct sock *newsk, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + AA_BUG(!sk); + /* AA_BUG(!newsk); newsk can be null here, since not using atm ... */ + AA_BUG(!maddr); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + state = RULE_MEDIATES_SK(rules, sk); + if (state) { + state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT, sk, + maddr, &p, &ad->info); + return do_perms(profile, state, AA_MAY_ACCEPT, p, ad); + } + + return aa_profile_af_sk_perm(profile, ad, AA_MAY_ACCEPT, sk); +} + +/* getopt/setopt */ +static int profile_opt_perm(struct aa_profile *profile, u32 request, + struct sock *sk, struct match_addr *maddr, + int level, int optname, + struct apparmor_audit_data *ad) +{ + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_perms *p = NULL; + aa_state_t state; + + AA_BUG(!profile); + AA_BUG(!sk); + AA_BUG(!maddr); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + state = RULE_MEDIATES_SK(rules, sk); + if (state) { + __be16 l = htons(l); + __be16 n = htons(optname); + + state = match_to_cmd(rules->policy, state, request, sk, + CMD_OPT, maddr, &p, &ad->info); + if (state && !p) { + state = aa_dfa_match_len(rules->policy->dfa, state, + (char *) &l, 2); + state = aa_dfa_match_len(rules->policy->dfa, state, + (char *) &n, 2); + if (!state) + ad->info = "failed sockopt match"; + } + return do_perms(profile, state, request, p, ad); + } + + return aa_profile_af_sk_perm(profile, ad, request, sk); +} + +/* ---------------------------------------------------------------------- */ + +// TODO: cleanup init to use recursion, so we can have N init fns, in 1 macro +// TODO: lift DEFINE_AUDIT out of macro into init fn??? + +/* no kernel_t bailout */ +#define label_sk_has_perm2(CRED, LABEL, SOCKSK, OP, REQUEST, PROFILE, AAD, XXXX, YYYY, CALLBACKFN) \ +({ \ + int __EERROR = 0; \ + if (label_mediates(LABEL, AA_CLASS_NET)) { \ + struct aa_profile *PROFILE; \ + DEFINE_AUDIT_SK(AAD, OP, SOCKSK); \ + (AAD).subj_cred = (CRED); \ + __EERROR = (XXXX); \ + if (__EERROR == 0) { \ + __EERROR = (YYYY); \ + if (__EERROR == 0) { \ + __EERROR = fn_for_each(label, PROFILE, \ + (CALLBACKFN)); \ + } \ + } \ + } \ + __EERROR; \ +}) + +/* no kernel_t bailout */ +#define label_sk_has_perm(CRED, LABEL, SOCKSK, OP, REQUEST, PROFILE, AAD, CALLBACKFN) \ + label_sk_has_perm2(CRED, LABEL, SOCKSK, OP, REQUEST, PROFILE, AAD, \ + 0, 0, CALLBACKFN) + +/* no kernel_t bailout */ +#define label_sk_has_perm1(CRED, LABEL, SOCKSK, OP, REQUEST, PROFILE, AAD, XXXX, CALLBACKFN) \ + label_sk_has_perm2(CRED, LABEL, SOCKSK, OP, REQUEST, PROFILE, AAD, \ + XXXX, 0, CALLBACKFN) + + +/* Early bailout for kernel_t - 2 init args before callback */ +#define sk_has_perm2(SOCKSK, OP, REQUEST, PROFILE, AAD, XXXXY, YYYYX, CALLBACKFN) \ +({ \ + struct aa_label *label; \ + struct aa_sk_ctx *ctx= aa_sock(SOCKSK); \ + int __ERROR = 0; \ + if (ctx->label != kernel_t) { \ + \ + label = begin_current_label_crit_section(); \ + __ERROR = label_sk_has_perm2(current_cred(), label, SOCKSK, OP, REQUEST, PROFILE, AAD, XXXXY, YYYYX, CALLBACKFN); \ + end_current_label_crit_section(label); \ + } \ + __ERROR; \ +}) + +/* Early bailout for kernel_t - no init args before callback */ +#define sk_has_perm(SOCKSK, OP, REQUEST, PROFILE, AAD, CALLBACKFN) \ + sk_has_perm2(SOCKSK, OP, REQUEST, PROFILE, AAD, 0, 0, CALLBACKFN) + + +/* Early bailout for kernel_t - 1 init arg before callback */ +#define sk_has_perm1(SOCKSK, OP, REQUEST, PROFILE, AAD, XXXXY, CALLBACKFN) \ + sk_has_perm2(SOCKSK, OP, REQUEST, PROFILE, AAD, XXXXY, 0, CALLBACKFN) + + + +/* no kernel_t early bailout */ +/* NOTE: already lifted label_mediates into lsm.c */ +int aa_inet_create_perm(struct aa_label *label, int family, int type, + int protocol) +{ + struct aa_profile *profile; + int error = 0; + DEFINE_AUDIT_NET(ad, OP_CREATE, NULL, family, type, protocol); + + ad.subj_cred = current_cred(); + set_ad_create(&ad, family, type, protocol); + error = fn_for_each(label, profile, + profile_create_perm(profile, family, type, + protocol, &ad)); + + + return error; +} + +int aa_inet_bind_perm(struct socket *sock, struct sockaddr *addr, + int addrlen) +{ + struct match_addr maddr; + + return sk_has_perm1(sock->sk, OP_BIND, AA_MAY_BIND, profile, ad, + bind_map_addr(sock->sk, addr, addrlen, &maddr, + &ad), + profile_bind_perm(profile, sock->sk, &maddr, &ad)); +} + + +int aa_inet_connect_perm(struct socket *sock, struct sockaddr *addr, + int addrlen) +{ + struct stored_match_addr laddr; + struct match_addr raddr; + + /* disconnect socket */ + if (addr->sa_family == AF_UNSPEC) + return 0; + if (addrlen < offsetofend(struct sockaddr, sa_family)) + return -EINVAL; + + /* do we need early bailout for !family ... */ + return sk_has_perm2(sock->sk, OP_CONNECT, AA_MAY_CONNECT, profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &laddr, &ad), + map_addr(addr, addrlen, 0, ADDR_REMOTE, &raddr, + &ad), + profile_remote_perm(profile, sock->sk, + AA_MAY_CONNECT, &raddr, + &laddr.maddr, &ad)); +} + +int aa_inet_listen_perm(struct socket *sock, int backlog) +{ + struct stored_match_addr maddr; + + /* do we need early bailout for !family ... */ + return sk_has_perm1(sock->sk, OP_LISTEN, AA_MAY_LISTEN, profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &maddr, &ad), + profile_listen_perm(profile, sock->sk, &maddr.maddr, + backlog, &ad)); +} + +/* ability of sock to connect, not peer address binding */ +int aa_inet_accept_perm(struct socket *sock, struct socket *newsock) +{ + struct stored_match_addr maddr; + int error; + + error = sk_has_perm1(sock->sk, OP_ACCEPT, AA_MAY_ACCEPT, profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &maddr, &ad), + profile_accept_perm(profile, sock->sk, + &maddr.maddr, + newsock->sk, &ad)); + + /* selinux updates inode - need to investigate this more */ + return error; +} + +/* sendmsg, recvmsg. */ +int aa_inet_msg_perm(const char *op, u32 request, struct socket *sock, + struct msghdr *msg, int size) +{ + struct stored_match_addr laddr; + struct match_addr raddr; + + /* do we need early bailout for !family ... */ + return sk_has_perm2(sock->sk, op, request, profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &laddr, &ad), + map_addr(msg->msg_name, msg->msg_namelen, 0, + ADDR_REMOTE, &raddr, &ad), + profile_remote_perm(profile, sock->sk, request, + &raddr, &laddr.maddr, &ad)); +} + +/* getopt, setopt */ +int aa_inet_opt_perm(const char *op, u32 request, struct socket *sock, + int level, int optname) +{ + struct stored_match_addr maddr; + + return sk_has_perm1(sock->sk, op, request, profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &maddr, &ad), + profile_opt_perm(profile, request, sock->sk, + &maddr.maddr, level, optname, &ad)); +} + +static int inet_label_sock_perm(const struct cred *cred, struct aa_label *label, + const char *op, u32 request, + struct socket *sock) +{ + struct stored_match_addr maddr; + + return label_sk_has_perm1(cred, label, sock->sk, op, request, profile, + ad, + map_sock_addr(sock, ADDR_LOCAL, &maddr, &ad), + profile_sk_perm(profile, request, sock->sk, + &maddr.maddr, &ad)); +} + +/* revaliation, get/set attr/getsockname/peername */ +int aa_inet_sock_perm(const char *op, u32 request, struct socket *sock) +{ + struct aa_sk_ctx *ctx= aa_sock(sock->sk); + struct aa_label *label; + int error; + + if (ctx->label == kernel_t) + return 0; + + label = begin_current_label_crit_section(); + error = inet_label_sock_perm(current_cred(), label, op, request, sock); + end_current_label_crit_section(label); + + return error; +} + +int aa_inet_file_perm(const struct cred *subj_cred, struct aa_label *label, + const char *op, u32 request, struct socket *sock) +{ + u32 sk_req = request & ~NET_PEER_MASK; + struct stored_match_addr laddr; + struct sock *sk = sock->sk; + int error = 0; + + AA_BUG(!label); + AA_BUG(!sock); + AA_BUG(!sock->sk); + AA_BUG(sk->sk_family != PF_INET && sk->sk_family != PF_INET6, + "family=%d", sk->sk_family); + + /* access to the local sock */ + error = label_sk_has_perm1(subj_cred, label, sock->sk, op, request, + profile, ad, + map_sock_addr(sock, ADDR_LOCAL, &laddr, &ad), + profile_sk_perm(profile, sk_req, sock->sk, &laddr.maddr, + &ad)); + + if (!error) { + struct stored_match_addr laddr, raddr; + + /* TODO: have ad here: instead of in CB so we do have to redo */ + error = map_sock_addr(sock, ADDR_REMOTE, &raddr, NULL); + if (!error && raddr.maddr.addrp) { + error = label_sk_has_perm1(subj_cred, label, sock->sk, + op, request, profile, ad, + set_ad_addr(&ad, raddr.addr.sa_family, + false, &raddr.maddr), + profile_remote_perm(profile, sock->sk, + request, + &raddr.maddr, + &laddr.maddr, &ad)); + } + } + + return error; +} diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c index d74d074d86de..5b24b864854e 100644 --- a/security/apparmor/af_unix.c +++ b/security/apparmor/af_unix.c @@ -243,8 +243,8 @@ static int profile_create_perm(struct aa_profile *profile, int family, state = RULE_MEDIATES_AF(rules, AF_UNIX); if (state) { - state = match_to_prot(rules->policy->dfa, state, type, protocol, - &ad.info); + state = match_to_prot(rules->policy->dfa, state, type, + protocol, &ad.info); return do_perms(profile, rules, state, AA_MAY_CREATE, &ad); } diff --git a/security/apparmor/include/af_inet.h b/security/apparmor/include/af_inet.h new file mode 100644 index 000000000000..c0e32ec55c05 --- /dev/null +++ b/security/apparmor/include/af_inet.h @@ -0,0 +1,42 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * AppArmor security module + * + * This file contains AppArmor af_unix fine grained mediation + * + * Copyright 2024 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ +#ifndef __AA_AF_INET_H + +#include "label.h" + +int aa_inet_peer_perm(const struct cred *subj_cred, + struct aa_label *label, const char *op, u32 request, + struct sock *sk, struct sock *peer_sk, + struct aa_label *peer_label); +int aa_inet_label_sk_perm(const struct cred *subj_cred, + struct aa_label *label, const char *op, u32 request, + struct sock *sk); +int aa_inet_sock_perm(const char *op, u32 request, struct socket *sock); +int aa_inet_create_perm(struct aa_label *label, int family, int type, + int protocol); +int aa_inet_bind_perm(struct socket *sock, struct sockaddr *address, + int addrlen); +int aa_inet_connect_perm(struct socket *sock, struct sockaddr *address, + int addrlen); +int aa_inet_listen_perm(struct socket *sock, int backlog); +int aa_inet_accept_perm(struct socket *sock, struct socket *newsock); +int aa_inet_msg_perm(const char *op, u32 request, struct socket *sock, + struct msghdr *msg, int size); +int aa_inet_opt_perm(const char *op, u32 request, struct socket *sock, int level, + int optname); +int aa_inet_file_perm(const struct cred *subj_cred, + struct aa_label *label, const char *op, u32 request, + struct socket *sock); + +#endif /* __AA_AF_INET_H */ diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index 88992484f88e..dafc62dc72ed 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -78,6 +78,8 @@ static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \ (SK)->sk_protocol) + + /* struct aa_net - network confinement data * @allow: basic network families permissions * @audit: which network permissions to force audit @@ -93,9 +95,13 @@ struct aa_net_compat { ({ \ int __e; \ switch ((FAMILY)) { \ - case AF_UNIX: \ + case PF_UNIX: \ __e = aa_unix_ ## FN; \ break; \ + case PF_INET: \ + case PF_INET6: \ + __e = aa_inet_ ## FN; \ + break; \ default: \ __e = DEF_FN; \ } \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 0fa290efd2b3..9bb1ebd03968 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -29,6 +29,7 @@ #include #include "include/af_unix.h" +#include "include/af_inet.h" #include "include/apparmor.h" #include "include/apparmorfs.h" #include "include/audit.h" @@ -1408,8 +1409,11 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern) AA_BUG(in_interrupt()); + if (kern) + return 0; + label = begin_current_label_crit_section(); - if (!kern && label_mediates(label, AA_CLASS_NET)) + if (label_mediates(label, AA_CLASS_NET)) error = af_select(family, create_perm(label, family, type, protocol), aa_af_perm(current_cred(), label, diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 91864fad379e..7e6c17fd7190 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -9,6 +9,7 @@ */ #include "include/af_unix.h" +#include "include/af_inet.h" #include "include/apparmor.h" #include "include/audit.h" #include "include/cred.h" @@ -22,6 +23,7 @@ struct aa_sfs_entry aa_sfs_entry_network[] = { AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK), + AA_SFS_FILE_BOOLEAN("af_inet", 1), { } }; @@ -126,12 +128,12 @@ void audit_net_cb(struct audit_buffer *ab, void *va) audit_log_format(ab, " protocol=%d", ad->net.protocol); if (ad->request & NET_PERMS_MASK) { - audit_log_format(ab, " requested_mask="); + audit_log_format(ab, " requested="); aa_audit_perm_mask(ab, ad->request, NULL, 0, net_mask_names, NET_PERMS_MASK); if (ad->denied & NET_PERMS_MASK) { - audit_log_format(ab, " denied_mask="); + audit_log_format(ab, " denied="); aa_audit_perm_mask(ab, ad->denied, NULL, 0, net_mask_names, NET_PERMS_MASK); } @@ -183,7 +185,8 @@ int aa_profile_af_perm(struct aa_profile *profile, (char *) &buffer, 4); perms = *aa_lookup_perms(rules->policy, state); } else if (profile->net_compat) { - /* 2.x socket mediation compat */ + + /* 2.x socket mediation compat */ perms.allow = (profile->net_compat->allow[family] & (1 << type)) ? ALL_PERMS_MASK : 0; perms.audit = (profile->net_compat->audit[family] & (1 << type)) ? diff --git a/security/apparmor/policy_compat.c b/security/apparmor/policy_compat.c index cfc2207e5a12..59e3cb57e979 100644 --- a/security/apparmor/policy_compat.c +++ b/security/apparmor/policy_compat.c @@ -107,6 +107,8 @@ static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa, perms->allow |= AA_MAY_CHANGE_PROFILE; if (ACCEPT_TABLE(dfa)[state] & 0x40000000) perms->allow |= AA_MAY_ONEXEC; + if (ACCEPT_TABLE(dfa)[state] & 0x10000000) + perms->allow |= AA_CONT_MATCH; } static struct aa_perms compute_fperms_user(struct aa_dfa *dfa, @@ -216,6 +218,8 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, perms.allow = dfa_user_allow(dfa, state); perms.audit = dfa_user_audit(dfa, state); perms.quiet = dfa_user_quiet(dfa, state); + if (ACCEPT_TABLE(dfa)[state] & 0x10000000) + perms.allow |= AA_CONT_MATCH; /* * This mapping is convulated due to history.